HSBC’s “Flaw” Revealed ( & how to protect yourself from it!)

I read in the news today that a bunch of researchers at Cardiff Uni have “discovered” a flaw in HSBC online banking, they don’t say what the flaw is si I’m not 100% sure which one they are referring to..there are many.

They say it’s unique to HSBC.. well that rules out about 7 flaws..leaving just two, they mention that the flaw involves the use of a keystroke recorder.. so that narrows it down to one.

As a retired ex bank hacker myself I’m always careful not to give away any tools or “secrets” that would assist the “would be” hacker, but this exploit is so easy to fix that I’m sure HSBC will have it sorted now that it’s out in the open. Their suggestion that it has not been used by hackers is bullshit, although I retired from active hacking a few years ago (following my release from a 5 yr prison sentence, but that is another story) I keep my ear to the ground and this one has certainly been abused for years.

Here it is….

This exploit depends on two principle cock up’s on the part of HSBC.

Background

HSBC have offered Internet banking for a long time and until early 2003 they relied upon a simple user-name and password approach. HSBC Internet banking evolved from telephone banking and for the customers’ benefit they retained the same password for Internet banking as customers used for telephone banking.

The HSBC telephone banking / Internet banking password can be variable length, though most customers choose a six digit number which is the minimum. The fact that it’s a variable length password increases security exponentially for users who choose a longer pasword, but most users choose their ATM pin number with either a leading or trailing 00 or 99, so if joe bloggs has a pin number of 1979 he would likely choose 001979 or 197900, you get the picture.

Actually, there is a whole science of determining how people will respond to certain questions such as “choose a number of between 6 and 10 digits”, It’s called “Human Stereotype Response”, that’s why a smart hacker has a 1 in 14 chance of hacking your ATM card (assuming you choose the 4 digit pin standing at an ATM machine) given 3 attempts at entering a PIN..statisticaly speaking of course! But again, thats another story!

In 2003, along with most UK banks, HSBC changed their log-on procedure to request a date-of-birth, and to ask for 3 supposed random digits from the numeric password.

Most Internet banking hacks begin with a keystroke logger being active on the machine that a customer uses to access the Internet Banking service (often an internet cafe, hotel or other public computer) so the hacker starts off armed with the username, the date-of birth, and 3 digits of the numeric password.

Problem Time

HSBC have two incredibly stupid flaws at this stage, both of which make the exploit much easier for the criminal hacker, first the sequence of these random numbers is always left to right, which gives a hacker an unfair advantage. The second flaw is the real jewel for the hacker..if the 3 digits are entered incorrectly and the hacker logs out and tries again he will get a different challenge. This is the most fundamental cock-up, because the hacker knows that with a request for 3 out of 6 digits, always in left to right order, there are simply only a handful of options, sooner or later (usually sooner) it will get back to the same question as the one that presented when the “victim” was logged using a keystoke logger.

OK I hear you say..but you only have about 3 chances till the account is locked. Well that’s not true, you see the hacker can try 2 times and then wait till the genuine account holder logs in, thus resetting the amount of tries he has. This trick has been used for years by hackers with cloned ATM cards, instead of 3 chances at entering a PIN number they get 4,6,8 or more attempts by trying 2 every month, not possible with a stolen physical card of course.

The rest is easy peasy, lemon squeezy..as the say in the business, well they did in my day.

Conclusion

Well, the good news is that most serious criminal hackers don’t spend too much time targeting HSBC’s UK customers, there are actually much softer targets and the hacker will usually take the easy route. HSBC depend heavily on secondary measures that make it difficult to move large sums of money out of the victim’s account without being noticed, they normally spot the fraud after it’s happened..but before the customer knows.

To remedy this situation HSBC need to make a couple of very minor changes to the login procedure, but it’s still going to be weak. Conventional access control consists of two parts, “what I have” (key, card, token) and “what I know” (password, pin etc). Internet banking relies simply on the “what I know” element which is always going to be problem.

How Protect yourself from this flaw.. change your internet password and make it greater than the 6 digit minimum, never use a public computer, always enter the information on the log in screen in a random order..ie enter 2 digits of your DOB, then the first 4 digits of your password, then the rest of your DOB, then the rest of your password.. that way the output from the keystroke logger will be useless to the hacker!

Written by Andy, ex-hacker, ex-con and ex-pat!

Advertisements

Like this:

LikeLoading...

8 Comments

Martin Smythe said,

I tried this when I first read this story, but I noticed today when I tried the same thing that it no longer changes the challange..not for me anyway. But you are right, by always going left to right for a 6 digit PIN there are only so many combinations.

Benumin said,

I know this was posted quite a while back, however, I was wondering if you have any information regarding the ‘Human stereotype respones’ that you mention, do you know of any research papers on this?

btw, I am interested to know how such an exploit as the one mentioned above could be done within 9 attempts. Looking at the different combinations possible it’s clear that there are more than 9 possiblities, so how can this be.

Thanks.

James said,

Hsbc has many holes in its online system they dont know and dont want to fix coz they are filled with a bunch of people who are not responsible. Take my case when I as an employee told them of a flaw where hackers can take out money and another issue, they simply did not bother. Check out the complete story on http://hijameshi.spaces.live.com

Behind all its big talk, Hsbc will do anything for money, cheat its customers by making false promises to get them to open accounts, indulge in money laundering if the price is right, Launder Fake money for Terrorists et al, so dont be surprised there were flaws, forget Hsbc’s big talk there werent.

I did a lot of work more than 10 years ago on the effect of Human Stereotype Response on PIN numbers when customers were presented with the opportunity to choose a 4 digit number at an ATM machine.

There is a very distinct top 10 PIN numbers, it’s no coincidence that 1234 is not allowed! Using intelligent “guesses” my research showed that there was a 1 in 14 chance of getting it right by trying the top 3 PIN numbers. To a fraudster that means that he will be able to use an average of 14 out of every 100 cloned cards. Stolen and reported cards are different because they will be on a stop list, but where a fraudster can clone or produce 10,000 cards he would be able to use 1400 of those, the average yield on a working cloned card is quite high so it’s well worth the trouble for a determined hacker.

I was a ATM hacker many years ago, I was sentenced to more than 5 years in prison without parole so I consider my debt to society to be repaid in full.

Today ATM fraud is much more common and increasingly hi-tech and the fraudster is likely to have much more resources than in my day, also there is a lot of involvement by organised crime these days.

I dont agree with most of what James says in comment 3, but I dont feel inclined to remove it as he is entitled to his opinion.

My article was about HSBC simply because it was topical when I wrote it, that particular flaw appears to have been fixed now anyway.

All banks have to balance usability versus security, always have and always will. That balance is delicate and changes are dynamic. Actually, I think HSBC are one of the better banks when it comes to responding to known threats and also their customer service, but thats just an opinion too.